PATENT

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

Applicant: Daugstrup

Title: INFORMATION TECHNOLOGY INCIDENT RESPONSE AND INVESTIGATION SYSTEM AND METHOD

Docket No. ENSUP0101WOUS

PRELIMINARY AMENDMENT

Commissioner for Patents
U.S. Patent and Trademark Office
Washington, D.C. 20231

Sir:

Preliminary to examination, please amend the subject application in the following
manner.



Please amend claims 3-4, 6-9, 12-15 and 17-18 as follows. A marked version of the
amended claims appears in Appendix A attached hereto.

IN THE CLAIMS:

3. (amended) The method according to claim 1, wherein the security alert is
generated in response to an action of an author, the author being anonymous.

4. (amended) The method according to claim 1, further comprising the steps
of establishing a set of criteria for security alert handling and acting upon the security alert
based on the set of criteria.

6. (amended) The method according to claim 1, further comprising the step of
digitally notarizing at least one item of electronic evidence contained in the electronic
evidence database.

7. (amended) The method according to claim 1, further comprising the steps
of searching a selected electronic mail file for at least one specified word and storing the
electronic mail file in the electronic evidence database if the at least one specified word is
present in the electronic mail file.

8. (amended) The method according to claim 1 , further comprising the step of 
alerting at least one person that an investigation file has been opened. 

9. (amended) The method according to claim 1 , further comprising the steps 
of storing a collection of security policies and support guidelines in a database and 
referring to the policies and guidelines when documenting the incident and administering 
to the investigation of the incident. 

12. (amended) The system according to claim 10, wherein the security alert is 
generated by an information technology security device or software tool. 

13. (amended) The system according to claim 10, further comprising an 
information technology policy administration means for storing a collection of security 
policies and support guidelines in a database, the policies and guidelines accessible from 
the incident administration means and the investigation administration means. 

14. (amended) The system according to claim 10, wherein the investigation 
administration means includes an electronic authorization means to approve an opening 
of an investigation file. 

15. (amended) The system according to claim 10, wherein the investigation 
administration means includes an electronic evidence database means associated with the 
electronic investigation file for maintaining items of electronic evidence relating to the 
investigation of the potential computer network misconduct incident. 
17. (amended) The system according to claim 10, wherein the investigation
administration means includes an electronic mail search tool for searching a selected 
electronic mail file for at least one specified word and storing the electronic mail file in an 
electronic evidence database if the at least one specified word is present in the electronic 
mail file. 



18. (amended) The system according to claim 10, further comprising an 
investigation alerting tool for alerting at least one person that an investigation file has been 
opened. 



REMARKS 

The amendment is submitted to delete multiple dependencies from the claims prior 
to calculation of the filing fee. If there are any additional fees resulting from this 
communication, please charge same to our Deposit Account No. 18-0988, our Order No. 
ENSUP0101WOUS. 

Respectfully submitted, 

RENNER, OTTO, BOISSELLE & SKLAR, LLP 




Date: March 28, 2002 M. David Galin; Reg. No. 41,767

1621 Euclid Avenue 
Nineteenth Floor 
Cleveland, Ohio 44115
Telephone: (216) 621-1113 
Facsimile: (216) 621-6165 
APPENDIX A
PRELIMINARY AMENDMENT 



Applicant: Daugstrup 

Title: INFORMATION TECHNOLOGY INCIDENT RESPONSE AND INVESTIGATION
SYSTEM AND METHOD

Docket No.: ENSUP0101WOUS

A marked version of the amended claims appears below (deletions bracketed and 
struck through and additions underlined): 

3. (amended) The method according to claim 1 [any of claims 1 to 2], wherein
the security alert is generated in response to an action of an author, the author being
anonymous.

4. (amended) The method according to claim 1 [any of claims 1 to 3], further
comprising the steps of establishing a set of criteria for security alert handling and acting
upon the security alert based on the set of criteria.

6. (amended) The method according to claim 1 [any of claims 1 to 5], further
comprising the step of digitally notarizing at least one item of electronic evidence contained
in the electronic evidence database.

7. (amended) The method according to claim 1 [any of claims 1 to 6], further
comprising the steps of searching a selected electronic mail file for at least one specified
word and storing the electronic mail file in the electronic evidence database if the at least
one specified word is present in the electronic mail file.

8. (amended) The method according to claim 1 [any of claims 1 to 7], further
comprising the step of alerting at least one person that an investigation file has been
opened.
9. (amended) The method according to claim 1 [any of claims 1 to 8], further
comprising the steps of storing a collection of security policies and support guidelines in
a database and referring to the policies and guidelines when documenting the incident and
administering to the investigation of the incident.

12. (amended) The system according to claim 10 [any of claims 10 to 11 ], 
wherein the security alert is generated by an information technology security device or 
software tool. 

13. (amended) The system according to claim 10 [any of claims 10 to 12 ], further 
comprising an information technology policy administration means for storing a collection 
of security policies and support guidelines in a database, the policies and guidelines 
accessible from the incident administration means and the investigation administration 
means. 

14. (amended) The system according to claim 10 [any of claims 10 to 13 ], 
wherein the investigation administration means includes an electronic authorization means 
to approve an opening of an investigation file. 

15. (amended) The system according to claim 10 [any of claims 10 to 14 ], 
wherein the investigation administration means includes an electronic evidence database 
means associated with the electronic investigation file for maintaining items of electronic 
evidence relating to the investigation of the potential computer network misconduct 
incident. 

17. (amended) The system according to claim 10 [any of claims 10 to 16],
wherein the investigation administration means includes an electronic mail search tool for
searching a selected electronic mail file for at least one specified word and storing the
electronic mail file in an electronic evidence database if the at least one specified word is
present in the electronic mail file.

18. (amended) The system according to claim 10 [any of claims 10 to 17 ], further 
comprising an investigation alerting tool for alerting at least one person that an 
investigation file has been opened. 
INFORMATION TECHNOLOGY INCIDENT RESPONSE AND INVESTIGATION



This application claims priority from copending U.S. provisional application serial
number 60/156,912, filed October 1, 1999, entitled, "SCORPIAN (Secure Corporate 
Investigations Automation)", incorporated herein by reference in its entirety. 



TECHNICAL FIELD 

The present invention generally relates to information technology and, more
particularly, to a system and method for tracking, responding to and investigating incidents
involving information technology policy.



BACKGROUND ART 

There is an ever present demand for information technology security tools and 
techniques for protecting against, detecting and responding to incidents involving potentially 
criminal and other types of culpable behavior. Information technology, as used herein, relates 
to the collection, organization, handling, storage and communication of information, such as 
data, computer files, algorithms, executable code and instructions, data packets, documents, 
electronic mail ("e-mail") and the like (collectively referred to below as electronic 
information or electronic documents). Information technology generally refers to electronic 
media used in connection with a computer or computer network, but is not limited thereto. 

Most organizations, firms, companies, government agencies and institutions have 
policies, standards, procedures, rules and regulations concerning the behavior of their 
employees, staff members, volunteers, service providers and third parties. These policies 
may relate to matters including information technology security policies, standards and 
procedures, corporate espionage, sexual harassment, discrimination, fraud, embezzlement and 
the like. These entities are also concerned with civil or criminal actions that may be brought 
against the entity for causes of action ranging from insider trading to wrongful termination. 
In addition, local, state and federal laws and government agency regulations may govern 
people's conduct. 
Presently, computers are used by persons who may violate an organization's policies,
a criminal law or regulatory rule, or may be used to engage in wrongful conduct presenting
the organization with a civil remedy. The use of a computer during the commission of these
activities may leave evidence in the form of computer logs, files, e-mail and the like.
Alternatively, computers may be used in such a way as to leave evidence useful in the defense of
a criminal or civil action brought against the organization.

To date, information security tools have focused on protection against and the 
detection of computer related threats. Common protection schemes include establishing 
information technology protocols, isolation techniques (e.g., the establishment of firewalls), 
access limitations (e.g., password control and parental Internet control) and the use of 
encryption. Detection schemes include hacking detection algorithms, e-mail parsing and 
content filtering, security sweeps and human reporting (e.g., "whistle-blowing"). 

However, very little attention has been given to automating the response to and the 
investigation of an incident which potentially violates one or more of the foregoing 
regulations and/or requires the analysis of electronic documents. Therefore, there exists a 
need in the art for an information technology incident response and investigation tool. 

SUMMARY OF THE INVENTION 

According to one aspect of the invention, the invention is a method of responding to 
an information technology related incident. The method having the steps of receiving a 
security alert, the security alert being displayed on an incident response and investigation 
system for analysis by an administrator; documenting the incident based on information 
contained in the security alert; opening an investigation file to administrate an investigation 
of the incident; and collecting items of electronic evidence and maintaining the evidence in an
electronic evidence database associated with the investigation file. 

According to another aspect of the invention, the invention is an incident response and 
investigation system. The system having an incoming security alert administration function 
for receiving and analyzing security alerts, each security alert containing information related 
to an event, the event being related to an information technology policy of an organization; an 
incident administration function for creating an incident file to document the event; and an 
investigation administration function for administering an investigation of the event
documented in the incident file. 

BRIEF DESCRIPTION OF DRAWINGS 

These and further features of the present invention will be apparent with reference to 
the following description and drawings, wherein: 

FIG. 1 is a block diagram of an incident response and investigation system; 

FIG. 2 is a flow chart of the general operation of the incident response and 
investigation system; 

FIG. 3 is a flow chart of an incoming security alert administration function of the 
incident response and investigation system; 

FIG. 4 is a graphical illustration of an interactive display for the incoming security 
alert administration function; 

FIG. 5 is a flow chart of an incident administration function of the incident response
and investigation system; 

FIG. 6 is a graphical illustration of an interactive display for the incident 
administration function; 

FIG. 7 is a flow chart of an investigation administration function of the incident 
response and investigation system; 

FIG. 8 is a graphical illustration of an interactive display for the investigation 
administration function; 

FIG. 9 is a flow chart of a digital notary function of the incident response and 
investigation system; and 

FIG. 10 is a graphical illustration of an interactive display for an information 
technology policy administration function of the incident response and investigation system. 

DISCLOSURE OF THE INVENTION 

In the detailed description which follows, identical components have been given the 
same reference numerals, regardless of whether they are shown in different embodiments of 
the present invention. To illustrate the present invention in a clear and concise manner, the 
drawings may not necessarily be to scale and certain features may be shown in somewhat
schematic form. 

Referring to FIG. 1, a block diagram of an incident response and investigation system
10, or simply the system 10, is illustrated. As used herein, the term incident is intended to
include, but is not limited to, any activity relating to the potential breach of one of the
policies, procedures, rules, laws or regulations mentioned in the background section above.
Briefly, the system 10 is a computer tool having a graphical user interface to assist an
information technology security administrator to securely create and maintain databases for
security alerts, incidents, investigations, electronic evidence, reports, and information
technology policies.

The system 10 includes a computer system 12. The computer system 12 has a
processor 14 for executing instructions, usually in the form of computer code, to carry out a
specified logic routine and a memory 16 for storing data, software, logic routine instructions,
computer programs, files, operating system instructions, and the like. The memory 16 can
comprise several devices and includes, for example, volatile and nonvolatile memory
components. Volatile components typically do not retain data values upon a loss of power.
Nonvolatile components retain data upon a loss of power. Thus, the memory 16 can be, for
example, random access memory (RAM), read-only memory (ROM), hard disks, floppy
disks, compact disks (including, but not limited to, CD-ROM, DVD-ROM and CD-RW),
tapes, and/or other memory components, including drives and players for these memory
types.

The processor 14 and the memory 16 are coupled to a local interface 18. The local
interface 18 can be, for example, a data bus with an accompanying control bus, or a network
between a processor and/or processors and a memory or memories. The computer system 12
also has a video interface 20, a number of input interfaces 22, a modem 24, a number of
output interfaces 26, each being coupled to the local interface 18.

The system 10 also has a display 28 coupled to the local interface 18 via the video
interface 20. Although shown as a cathode ray tube (CRT), the display device may
alternatively be, for example, a liquid crystal display (LCD), a plasma display, an
electroluminescent display, indicator lights, or light emitting diodes. In addition, the system 10 has
several input devices, including, but not limited to, a keyboard 30, a mouse 32, a microphone
34, and a scanner 36, each being coupled to the local interface 18 via the input interfaces 22.
The modem 24 is coupled to an external network 38 enabling the computer system 12 to send
and receive data signals, voice signals, video signals and the like via the external network 38
as is well known in the art. The external network 38 may be, for example, the Internet, a
wide area network (WAN), a local area network (LAN), direct data link or other similar
network. It is noted that the system 10 can be accessed and used by a remote user via the
external network 38 and modem 24. The system 10 can also include output devices coupled
to the local interface 18 via the output interfaces 26, such as audio speakers 40, a printer 42,
and the like.

The computer system 12 is programmed to display and execute an automated incident
response and investigation software tool in graphical user interface (GUI) format.
Alternatively, the computer system has logic stored in the memory 16 capable of being
executed to display and function as the automated incident response and investigation
software tool.

With additional reference to FIG. 2, a general operational logic 50 of the system 10
and associated software tool is illustrated. Upon the detection of an incident in step 52, an
alerting source (not illustrated) will generate a security alert and relay the security alert to the
computer system 12 for processing. It is noted that the alerting source can be an individual,
an individual using a device or an automated device. If the alerting source is an automated
device, the alerting source will generally be separate from the system 10.

Persons, such as employees, human resource professionals, legal counselors, law
enforcement officials, and members of another organization or company, may notice or
become aware of an incident. The person may elect to send a security alert directly to the
system 10. Alternatively, the person may elect to notify a superior or a system 10
administrator who sends the security alert to the system 10. Security alerts can be presented
to the system 10 in a number of ways, including direct entry using the computer system's 12
input devices, e-mail, entering information in a web page (using, for example, hypertext
transfer protocol, or HTTP), pressing an alarm button, and the like. It is noted that e-mails
can be addressed to the system 10 using an anonymous e-mail tool, and internet or intranet
alerts can also be sent to the computer system 10 via anonymous electronic transmission.
Should the author of the e-mail specify that the e-mail containing the security alert is to be
sent anonymously, an e-mail logic routine will strip or modify any headers identifying the
source of the e-mail before delivery to the system 10.

Security alerts can also be presented to the system 10 by an automated or
semi-automated detection device configured to detect a potential incident in real time. Example
detection devices include software tools and firewalls programmed to detect certain activities,
such as the downloading of pornography, suspicious financial transfers, and the hacking of a
computer system. Upon the detection of an incident, the detection device will configure a
data packet and send the data packet to the system 10 to alert the system 10 of the incident.
The data packet can be in a variety of formats including an e-mail or codes to be interpreted
by the system 10.

In step 54, the system 10 receives the security alert from either an external source as
described above via the modem or by direct entry using the input devices, such as the
keyboard 30, mouse 32 and/or microphone 34. Speech received via the microphone 34 can
be converted into text using a voice recognition application.

In an alternative configuration, the security alerts are initially sent to an alert
processing system that is separate from the system 10. The alert processing system can
conduct some preliminary analysis of the security alerts, consolidate alerts relating to the
same incident, eliminate duplicate alerts, filter the alerts, prioritize the alerts, temporarily
store alerts and/or attend to the security alert in the manner of the system 10, especially when
the system 10 is unattended. The alert processing system can be staffed by a person at all
times and can be configured to receive alerts for multiple entities having the system 10,
thereby alleviating full-time staffing of the system 10. Once security alerts are processed by
the alert processing system, the alert processing system sends a secure security alert or
alerts to the system 10 for further attention by the system 10 administrator as described
herein.

Security alerts received by the system 10 are documented and subsequently managed
using an incoming security alert administration function as will be described in more detail
below with respect to FIGS. 3 and 4.
Using an incident administration function, a system 10 administrator documents
incidents related to incoming security alerts in step 56. The user can configure an incident
file for each incoming security alert or can group security alerts as being related to one
incident and configure an associated incident file. The documentation and subsequent
management of incident files will be discussed in more detail below with respect to FIGS. 5
and 6.

Each incident file is reviewed, either through programming of the system 10 or by
human analysis, to determine if an investigation should be opened to examine the incident in
greater detail (step 58). Although each incident file may not be investigated, the incident files
will remain as historical documentation of the incident. A set of criteria can be established to
determine whether the incident should be investigated. For example, certain alerts generated
by a firewall may not require further attention, but an e-mail containing certain accusations
may be automatically flagged as warranting investigation. If an investigation is not
warranted, the incident file will become dormant and the system will await new security
alerts. The identity of the person(s) tasked with deciding whether an investigation is
warranted may be restricted to selected individuals and validated with the use of a password
protection scheme or a digital signature scheme.
If an investigation is warranted based on the nature of the associated incident in step
58, the system 10 can be configured to not proceed unless approval to open the investigation
is granted by at least one person in a position of proper authority (step 60). The system 10
can be configured to require approval for all potential investigations or just certain types of
investigations. If approval is not required or if approval is required and granted (step 62), the
system 10 will open, or document, an investigation file using an investigation administration
function in step 64. If approval is required and not granted in step 62, the associated incident
file will become dormant and the system will await new security alerts. As a safeguard, the
system 10 can be configured to require more than one person's approval to open an
investigation based on an incident file. In addition, the identity of the person(s) tasked with
granting investigation approval may be validated with the use of a password protection
scheme or a digital signature scheme.
The documentation and subsequent management of investigation files using an
investigation administration function of the system 10 will be discussed in more detail below 
with respect to FIGS. 7 and 8. It is noted that investigations may also be opened for events 
which do not spawn a security alert or an incident file. For example, if a lawsuit is brought 
against a corporation using the system 10, the corporation may be interested in analyzing 
information technology matters potentially related to the lawsuit. In this instance, the 
features of the investigation administration function may be useful to the corporation and an 
investigation file may be opened by bypassing steps 52 to 56. 

The administration of an investigation file includes various tasks which can be 
automated, at least in part, using the investigation administration function of the system 10 
(step 66). For example, the administration of an investigation file can include alerting 
individuals and/or organizations that make up a response team tasked with reacting to the 
incident and conducting the investigation. 

The investigation administration function is also capable of opening an evidence 
database for each investigation file. It is noted that the evidence database for each 
investigation file is logically or physically separated from every other investigation's 
evidence database to assist in preserving the integrity of the evidence databases. The 
evidence database for each investigation file may contain a catalog of physical evidence 
items. The evidence data is also a repository for electronic copies of electronic files that have 
been copied or confiscated during the investigation. The electronic files can be any type of 
file in computer readable format, including but not limited to e-mail files, firewall logs, word 
processing or spreadsheet documents, logs from computer forensic tools, and specific 
computer program application logs. Part of the evidence collected will usually include the 
original security alert(s) received in step 54. 

The administration of an investigation file can also include digitally notarizing
selected pieces of electronic evidence. Digital notarization techniques are known in the art 
and include the digital authentication system described in U.S. Patent No. 5,781,629, 
incorporated herein by reference in its entirety. As will be discussed in more detail with 
respect to FIG. 9, digital notarization of electronic files provides a reasonably secure means 
of subsequently verifying the contents of a particular electronic file at the time of 
notarization. This record may be desirable to help validate the electronic evidence at a later
date. For example, the digital notarization may assist a witness in authenticating a particular 
electronic file to enhance the admissibility of the electronic file into evidence during a legal 
proceeding. 
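The following is an added illustration, not code from the patent or its applicant: a small Python model of steps 58 to 66 as described above (approval-gated opening of an investigation file, a separate evidence database per investigation, the keyword e-mail search of claims 7 and 17, and a digital notarization record that lets a later copy of a file be checked against its state at notarization time). The notary is an assumption: a SHA-256 digest and timestamp authenticated with an HMAC key stand in for the external notarization service the patent refers to, and the sample e-mail bodies are constructed.

```python
"""Added example (not the patent's own code): approval-gated investigation files,
per-investigation evidence databases, keyword e-mail collection and a
digital-notarization record. The HMAC-keyed notary is an assumed stand-in for
an external notarization service."""
import hashlib
import hmac
import json
import time


class InvestigationAdmin:
    """Investigation administration function: a file opens only after the
    configured number of distinct approvers sign off, and each investigation
    keeps its own evidence database."""

    def __init__(self, required_approvals: int, notary_key: bytes):
        self.required_approvals = required_approvals
        self._notary_key = notary_key   # assumption: key of the notarizing party
        self._investigations = {}       # inv_id -> investigation file
        self._next_id = 1

    def request_open(self, incident_id: str) -> str:
        """Step 58: an incident file is judged to warrant investigation."""
        inv_id = f"INV-{self._next_id:04d}"
        self._next_id += 1
        self._investigations[inv_id] = {
            "incident": incident_id,
            "approvers": set(),   # distinct persons who approved (step 60)
            "open": False,
            "evidence": {},       # separate evidence database per investigation
        }
        return inv_id

    def approve(self, inv_id: str, approver: str) -> bool:
        """Step 62: record an approval; the same person approving twice counts
        once. Returns True once the investigation file is open (step 64)."""
        inv = self._investigations[inv_id]
        inv["approvers"].add(approver)
        if len(inv["approvers"]) >= self.required_approvals:
            inv["open"] = True
        return inv["open"]

    def notarize(self, data: bytes) -> dict:
        """Notarization record: content digest, time of notarization and a tag
        binding both to the notary key, so later edits to file or record show."""
        digest = hashlib.sha256(data).hexdigest()
        ts = int(time.time())
        tag = hmac.new(self._notary_key, f"{digest}|{ts}".encode(), hashlib.sha256)
        return {"sha256": digest, "notarized_at": ts, "tag": tag.hexdigest()}

    def add_evidence(self, inv_id: str, name: str, data: bytes) -> dict:
        """Store an electronic file in the investigation's evidence database."""
        inv = self._investigations[inv_id]
        if not inv["open"]:
            raise PermissionError("investigation not approved; no evidence database")
        record = self.notarize(data)
        inv["evidence"][name] = {"data": data, "notary": record}
        return record

    def verify(self, inv_id: str, name: str, data: bytes) -> bool:
        """Check a later copy of a file against its notarization record."""
        item = self._investigations[inv_id]["evidence"].get(name)
        if item is None:
            return False
        rec = item["notary"]
        msg = f"{rec['sha256']}|{rec['notarized_at']}".encode()
        expected = hmac.new(self._notary_key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False   # the record itself was altered
        return hashlib.sha256(data).hexdigest() == rec["sha256"]

    def collect_mail(self, inv_id: str, mail_files: dict, keywords) -> list:
        """E-mail search tool: store every mail file containing at least one
        specified word in the investigation's evidence database."""
        stored = []
        for name, body in mail_files.items():
            text = body.decode("utf-8", errors="replace").lower()
            if any(k.lower() in text for k in keywords):
                self.add_evidence(inv_id, name, body)
                stored.append(name)
        return stored


# Constructed sample mail files (not from the patent).
SAMPLE_MAIL = {
    "msg1.eml": b"Subject: invoice\n\nPlease wire the funds to the new account today.",
    "msg2.eml": b"Subject: lunch\n\nCafeteria menu attached.",
}


def demo() -> dict:
    admin = InvestigationAdmin(required_approvals=2, notary_key=b"constructed-key")
    inv = admin.request_open("INC-0001")
    admin.approve(inv, "alice")
    admin.approve(inv, "bob")
    stored = admin.collect_mail(inv, SAMPLE_MAIL, ["wire", "funds"])
    ok = admin.verify(inv, "msg1.eml", SAMPLE_MAIL["msg1.eml"])
    tampered = admin.verify(inv, "msg1.eml", SAMPLE_MAIL["msg1.eml"] + b" ")
    return {"stored": stored, "ok": ok, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo()))
```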

It is noted that the system 10 can be used to create a database separate from any
investigation. Separate databases can be used to maintain a library of electronic documents
related to a certain project, corporate department and the like. The electronic documents
contained in the database can also be notarized using the digital notary function.

In addition to the incoming security alert administration function, the incident
administration function and the investigation administration function, the system 10 is
provided with an information technology policy administration function. At any point during
the use of the system 10, the system 10 administrator can use and consult the information
technology policy administration function. The information technology policy administration
function will be discussed in more detail below with respect to Fig. 10. Briefly, the
information technology policy administration function is a repository of form templates,
security policies for the organization, and guidelines and checklists to be followed during an
investigation or before an investigation is opened. The information technology policy
administration function also has administration functions related to the foregoing repositories
of files.

The foregoing aspects of the system 10 will be discussed in more detail below. As

will be apparent to one skilled in the art, the system 10 is a tool for an organization to 
automate incident response and investigation activities and provides a secure platform for 
investigators to share information and conduct analysis of accumulated data for current and 
past incidents and investigations. 

Since the system 10 has a variety of database and documentation features, it is
desirable that the incident response and investigation software tool of the system 10 be built
on a database and document management platform to provide the user with additional
features and functions inherent to the underlying platform. An example of such a platform is
LOTUS NOTES available from Lotus Development Corp., 55 Cambridge Parkway,
Cambridge, MA 02142.
In addition, the incident response and investigation software tool preferably provides a
graphical user interface to the system 10 administrator for carrying out the functions of the
general operational logic 50 as illustrated in FIG. 2 and the additional functions and features
discussed below. As is known in the art, the GUI includes a menu bar disposed across the top
of the display 28 having a series of pull down menus from which the system 10 administrator
can choose various features of the database and document management platform and/or the
incident response and investigation software tool. As is appropriate, the GUI will also have
pop-up menus to illustrate selection choices when a certain feature is selected, scroll bars
allowing the user to navigate through a displayed window, drop-down menus which drop
down from the menu bar or other selected area, and content sensitive menus for highlighting
options available or unavailable to the user depending upon the context of the selected
content sensitive menu.

Referring to Fig. 3, an incoming security alert administration function logic 100 is
illustrated. The logic 100 starts in step 102 by receiving a security alert. As discussed above,
the alert can be an incoming electronic mail message or a data message sent by a computer or
software tool over the external network 38 and into the computer system 12 via the modem
24. Alternatively, the security alert can be received by direct entry into the computer system
12 via the keyboard 30, the mouse 32, the microphone 34, or other input device.

With additional reference to Fig. 4, when a security alert is received, the system 10
will send an incoming alert indication to an incoming alert administrator in step 106. The
incoming alert indication can be in the form of one or more of an audible sound, flashing light
or display 28 screen icon, an alphanumeric page sent to a personal pager, an electronic mail,
facsimile or the like. The incoming alert indication is intended to provide an indication to the
administrator that a security alert has been received and is awaiting attention. The incoming
alert indication can be sent to one or more persons. The incoming alert indicator can be sent
to a selected individual, or individuals, based on the type of security alert, the source of the
alert, or the individual's expertise or responsibilities.

Also in step 106, the incoming security alert is displayed on an incoming security alert
display screen 104. The alerts are displayed as line items 108 on the display screen 104.
Each line item contains an indication of the status and/or source of the security alert, the date
and time the alert was received by the computer system 12, or alternatively, the date and time
of the incident to which the security alert relates, and the subject matter of the alert. Each
alert displayed as a line item 108 can be opened into a viewing window (not shown) to
display more information related to the security alert or the content of a message contained
within the security alert. The alert can be opened, for example, by directing a mouse pointer
109 displayed on the display 28 with the mouse 32 to the desired line item 108 and clicking a
mouse 32 button to select the security alert associated with the line item 108. This action can
directly open the security alert into the viewing window or specify which of the line items
108 the system 10 is to open following the selection of an action button, such as a review
document button 110 used to open the security alert into the viewing window.

Once a security alert is opened in the viewing window, the system 10 administrator
can analyze the security alert to determine the nature of the incident reported by the security
alert (step 106). In step 112, the system 10 administrator will then decide whether to take
action on the security alert. As a safeguard, more than one person may be required to
determine whether to take action based on the security alert. Alternatively, the decision
making process can be automated and based on information contained in the security alert or
the source of the security alert. If a decision is made not to take action in step 112, the alert
will be stored in the memory 16 in a no action taken log (step 114). If, however, action is to
be taken in step 112, the system 10 administrator will proceed as desired, preferably
following established information technology security procedures (step 116).

Example actions in step 116 include opening an incident file using the incident
administration function. The incident administration function will be discussed in more detail
below. An incident file may be created by selecting an open new incident file button 118
appearing on the incoming security alert display screen 104. Selection of the open new
incident file button 118 will link the user to a display screen specified by the system 10, such
as the incident administration function or an incident file viewing/editing window.

Other action in step 116 can include associating the alert with an existing
investigation file or incident file, should the alert contain information related to an existing
incident file or investigation file. A security alert can be associated with an incident file or an
investigation file by selecting an associate alert button 120 appearing on the incoming
security alert display screen 104 and specifying the target incident file or investigation file.
Once action has been taken on a security alert, the security alert and the action taken are stored
in the memory 16 in an action taken database (step 122).

With continued reference to Fig. 4, the user can select among view buttons 124 
displayed on the incoming security alert display screen 104 to select among new security 
alerts (i.e., received but unprocessed security alerts), security alerts saved in the action taken 
database and security alerts saved in the no action taken database. The incoming security 
alert display screen 104 is also provided with link buttons 126 so that the user can select 
among the various administration functions of the incident response and investigation 
software tool, including the incoming security alert administration function, the incident 
administration function, the investigation administration function, and the information 
technology policy administration function. Although not illustrated, the link buttons 126 can 
have graphical icons to represent the destination of the link. 

Referring now to Fig. 5, an incident administration function logic 150 is illustrated,
and, with additional reference to Fig. 6, an incident administration display screen 154 is
illustrated. If a new incident file is to be opened (step 152), the system 10 administrator can
select an open new incident file button 156 to access an incident file viewing window (not
shown). It is noted that the create incident file button 118 on the incoming security alert
display screen 104 (FIG. 4) invokes similar operation to the button 156. The following
incident file creation and documentation procedure is conducted in step 158 of the incident
administration function logic 150.

The incident file viewing window will contain information relating to the incident at
hand and/or fields to be populated with information relating to the incident. This information
can include an incident identification number which is either selected by the system 10
administrator or automatically determined by the system 10. The information also includes
an incident name, such as website hacked, falsified expense account, or harassing e-mails.
The incident file will also identify employees involved or suspected to be involved in the
incident, the information source of the security alerts, and which personnel have responsibility
to act upon the incident. The information also includes an incident status, including new
incident, incident awaiting approval, investigation approved, investigation denied, under
investigation, and incident resolved. If the incident has been approved for investigation,
denied for investigation, or resolved, an associated approval date, denial date or resolution
date may also be placed in the incident file. The incident may also be assigned a priority such
as an emergency, high priority, normal priority, or low priority. The incident may also be
categorized such as computer intrusion, employee conduct or the like. Subcategories may
also be specified, such as internal threat, external threat, potential criminal conduct, violation
of company regulations and the like. The incident file may also contain an incident
description containing text entered by the system 10 administrator with any information
related to the incident. The incident file may also contain a list of incident events and any
additional comments, notes or conclusions.

Read and write access to the incident file can be controlled using password or digital
signature schemes. Accordingly, the incident file will contain information related to those
with read access and those with write access (those with the ability to edit the incident file).
The incident file will also contain data on when the incident file was created and by whom,
and will contain information on when the incident file was modified and by whom.

Once an incident file has been opened, the decision to open an investigation is
conducted in step 160. Step 160 relates to steps 58 through 62 illustrated in Fig. 2 and
discussed in more detail above. Therefore, the decision process of whether to open an
investigation will not be discussed in detail at this point. However, the system 10
administrator can access an investigation approval routing form by selecting an approval
button 165 displayed on the incident administration display screen 154. The investigation
approval routing form can be transmitted to those in charge of deciding whether to open an
investigation. The form can be signed with pen and ink, approved using a password or digital
signature, or denied using the same methods. If an investigation is not opened, either because
an investigation is not warranted or an investigation has been denied, the incident file will be
stored in an incident file database in step 162 for review at a later date, if desired. If an
investigation is to be opened, the system 10 administrator can select an open investigation
button 164 displayed on the incident administration display screen 154. The open
investigation button 164 will serve as a link to the incident administration function as will be
described in more detail below. The system 10 will lock the system 10 administrator's ability
to open an investigation if approval has not been granted.

The content of a selected incident file may be updated in step 166, such as changing 
the incident file priority, incident file status, adding description details, and so forth. The 
incident file can be accessed for revision by selecting an edit button 168 displayed on the 
incident administration display screen 154. If the incident file is password protected under 
the write access control, the user will be prompted to enter a valid password or digital 
signature after selecting the edit button 168. The incident administration function will also 
allow a person with read access privileges to review an incident file by selecting a review 
button 170. 

The incident file database can be searched for a particular incident, or for incidents having a
particular item in common, using a search tool accessed by pressing the
search button 172. To assist in searching, the incident administration function logic 150 can
also be provided with an indexing tool so that the system 10 administrator can associate
incident files with selected search terms.

The incident administration function also allows for the generation of reports (step
173). For example, a report can be generated providing details of a particular incident file by
selecting a create incident report button 174. An incident report content selection window is
then displayed for the system 10 administrator to select which items of information contained
in the incident file are to be printed or displayed. Alternatively, the reports may be generated
based on more than one incident, for example, statistical reports highlighting the number of
incidents in a particular incident category or assigned to a certain status, and reports
highlighting trends or other correlated data. This type of report can be generated by selecting
a create executive report button 176 displayed on the incident administration display screen
154.

The incident administration display screen 154 displays selected incident files as line
items 178. Each line item 178 can be displayed under a heading 179 relating to the status or
priority of the associated incident file. Each line item 178 can contain items of information,
such as an incident name, incident identification number, date created and by whom, and so
forth. Each heading 179 can also contain information, such as the number of incident files
under the heading 179 and the percentage of incident files under the heading as a function of
all the incidents.

The incident administration display screen 154 is provided with view buttons 180 to 
select different views, such as all of the incident files categorized under status headings, 
priority headings, or category headings, new incidents, all incidents waiting to be approved, 
all approved incidents, all denied incidents, all incidents under investigation, and all resolved 
incidents. If the incident files are displayed under a heading 179, the heading 179 may be 
provided with an expand or contract button 184, as is well known in the art, to select between 
displaying the incidents under the heading 179 or not displaying the incidents under the 
heading 179. Link buttons 126 (described above) may also be provided as part of the incident 
administration display screen 154. 

Each time an incident file is opened or modified, the incident administration function 
logic 150 will store or update the incident file in step 186. 

Referring now to Fig. 7, an investigation administration function logic 200 is 
illustrated for the incident response and investigation system 10 and, with additional 
reference to Fig. 8, an investigation administration display screen 206 is illustrated. Upon the 
opening of an investigation file in step 202, an investigation documentation window is 
displayed to the operator (not shown) for providing information to document the investigation 
file in step 204. The investigation documentation window can be accessed by selecting an 
open investigation file button 208 or open investigation file button 164 (FIG. 6). It is noted 
that an existing investigation file can be reviewed by selecting a review investigation file 
button 210 or edited by selecting an edit investigation file button 212. The buttons 208, 210 
and 212 can be provided with the security lock-out and read/write access features discussed 
above (i.e., approval requirements, password requirements, etc.). 

Each investigation file contains information such as an investigation identification
number, an investigation name, employees or other persons who are the subject of the
investigation, and the source or sources of information relevant to the investigation, including
persons to be interviewed and equipment to be analyzed. The investigation also contains
information related to the investigator or investigators and any sub-teams or specialists to be
involved with the investigation. The investigation file also contains information regarding
the investigation status, such as open or closed. The priority of the investigation is also
contained in the investigation file, such as emergency, high, normal or low priority. The
investigation file may be assigned an activity state such as active, idle, on hold or closed.
Investigations may also be categorized, such as computer intrusion, employee conduct, and
the like. Investigations may also be sub-categorized. Example sub-categories for a computer
intrusion category would include internal threat, external threat, and so forth.

The investigation file includes an investigation description containing general
information pertaining to the investigation. In addition, the investigation file contains a
section for significant investigation events which will be completed as the investigation
progresses. A section for comments, notes and conclusions is also provided. A section for
investigation characteristics and classifications can be provided to provide for additional
elaboration on non-technical characteristics of the investigation, such as remarks related to
insider assistance of an external computer intrusion threat.

The investigation file provides for a number of technical classifications such as
technology type, including various items of software and/or hardware. Technical
classifications also include technological function such as an electronic mail gateway or
firewall. Technical classifications also include any computer environments affected, the
vendors of software and hardware which may be affected, the operating systems that may be
affected, computer programs, applications and application servers potentially involved in the
incident generating the investigation, and middle-ware or other software related to the
investigation.

The investigation file also includes read and write access controls similar to those
described above for incident files. Finally, the investigation file includes documentation of
who opened the investigation file and when, and who has modified the investigation file and
when those modifications were made.

Once an investigation file has been opened, it may be desirable to inform certain
individuals, or groups of individuals, that an incident has occurred and an investigation is
currently pending to study the incident. The system 10 administrator may send an alert in
step 214 (Fig. 7) by selecting an alert button 216 (Fig. 8). Upon selecting the alert button
216, the system 10 will display an alert window (not shown) on the display 28. The alert
window will allow the user to select the recipients of the alert by either specifying the
recipients or selecting among groups of pre-defined recipients. The pre-defined groups
include a steering committee consisting of a group of persons internal to the organization and
typically including high-level managers or decision makers. The groups also include a
response team which is usually an internal group of persons related to the organization and
includes people with technical skill to coordinate and carry out a response to the incident and
conduct the investigation. The groups also include an emergency response team made up of
either internal or external persons having a very high skill level to address the incident at
hand and/or resources to respond very rapidly to the incident. The groups also include
authority personnel, such as a human resources department, internal security and/or external
law enforcement. External law enforcement includes local police departments and the
Federal Bureau of Investigation (FBI) who can be notified if the situation may require the
assistance of these authorities or if their knowledge of the incident is desired.

The alert window can be used to select all or some of the individuals previously 
defined as being part of the selected group. The investigation identification number is also 
associated with the alert and any other additional instructions or comments to be sent to the 
alertees. The system 10 administrator can also select how the alertees are to be informed of 
the incident and pending investigation. Alert methods include sending an alpha-numeric 
page, sending an e-mail, telephoning the alertee, personally visiting the alertee, and the like. 
In an alternative arrangement, an alert can be generated upon the identification of an incident 
without waiting for an investigation file to be opened. This is useful in situations where time 
may be of the essence. 

With continued reference to Figs. 7 and 8, an electronic evidence database can be
created for the investigation (step 218). The evidence database is a repository for any
electronic documents related to the investigation including, but not limited to, e-mails, e-mail
server logs, firewall logs, documents, contents of hard drives, application files such as word
processing documents and spreadsheets, and any other information saved on
computer-readable media. The electronic documents can also include paper documents which have
been scanned by the scanner 36 and stored on the memory 16.
The evidence database can be created by selecting a create evidence database button
220 on the evidence administration display screen 206. Upon selecting the create evidence
database button, an evidence window (not shown) will be displayed on the display 28. The
evidence entered into the database can be categorized and displayed by status such as analysis
pending, notarization, notarized and awaiting analysis, analyzed and not notarized. More
specifically, each item of evidence is listed in line items under a status heading. The evidence
may also be displayed by category or type of evidence, by author, or a listing of all
documents. For convenience, the evidence items may be indexed and searchable. The
evidence database can also store and display comments related to selected items of evidence.

The evidence display window can include buttons which link the user to evidence
administration tools (step 219), such as a comment on evidence button and respond to
comment button for respectively documenting comments on a certain piece of evidence and
entering a response to those comments. A new evidence button may also be provided to enter
a new piece of evidence into the evidence database and key in related information, such as the
date the evidence was seized, a title for the evidence, the person seizing the evidence, and the
person, device or software thought to have created the evidence.

A digital notary button is also provided so that, once an evidence item is entered into
the evidence database, the item can optionally be digitally notarized to create a record of the
contents of the evidence item at the time of notarization (step 220). Digital notarization
techniques are known in the art and include the digital document authentication system
described in U.S. Patent No. 5,781,629, incorporated herein by reference in its entirety.

Referring to FIG. 9, an example flow chart for a digital notary function logic 222 is
illustrated. Briefly, the digital notarization function includes creating a fingerprint of the
electronic document (step 224). The fingerprint is usually created by sampling selected
portions of the document and storing those sections in a separate file. Next, the fingerprint is
transmitted to a notary function (step 226). The notary function is resident either in the
computer system 12 or on a separate computer system connected to the computer system 12
via the external network 38. The fingerprint is time-stamped by the notary function (step
228). The time-stamped fingerprint is appended with hash codes which typically are derived
from the fingerprint, time-stamp and/or other unpredictable data values (step 228). The
fingerprint, time-stamp and hash values are assembled into a notary record which is logically
associated with the original electronic document (step 230) and stored in the memory 16 (step
232).
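As an added example, not code from the patent or from any product it describes, the following Python sketch carries the notary flow of FIG. 9 through in code: a fingerprint of the evidence item (step 224), a time-stamp applied by the notary function (step 228), a hash derived from the fingerprint, the time-stamp and an unpredictable value (step 228), and a notary record assembled from those values and tied to the original item (step 230), together with a check that re-verifies an item against its record. Two choices are my assumptions rather than the text's: the fingerprint is a full SHA-256 digest of the item rather than the sampled portions the text describes, because a fingerprint that samples only parts of a document leaves the unsampled bytes unbound, and the hash codes are an HMAC under a key held by the notary function, so that a record cannot be produced or altered without that key. All function and field names are hypothetical.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

# Hypothetical helper names; nothing here is the patent's own code.


def fingerprint(document: bytes) -> str:
    """Step 224: fingerprint of the electronic document.

    Assumption: a full SHA-256 digest of the item, so that every byte is
    bound to the notary record (the text describes sampling selected portions).
    """
    return hashlib.sha256(document).hexdigest()


def notary_hash(notary_key: bytes, fp: str, timestamp: str, nonce: str) -> str:
    """Step 228: hash codes derived from the fingerprint, time-stamp and an
    unpredictable data value. Assumption: an HMAC under the notary's secret key."""
    message = f"{fp}|{timestamp}|{nonce}".encode()
    return hmac.new(notary_key, message, hashlib.sha256).hexdigest()


def notarize(document_id: str, document: bytes, notary_key: bytes,
             when: Optional[datetime] = None) -> dict:
    """Steps 224-232: build the notary record for one evidence item.

    `when` exists only so that a record can be reproduced deterministically;
    in real use the notary function applies its own clock.
    """
    fp = fingerprint(document)                                    # step 224
    timestamp = (when or datetime.now(timezone.utc)).isoformat()  # step 228
    nonce = secrets.token_hex(16)                                 # unpredictable value
    return {                                                      # step 230
        "document_id": document_id,  # logical association with the original item
        "fingerprint": fp,
        "timestamp": timestamp,
        "nonce": nonce,
        "hash": notary_hash(notary_key, fp, timestamp, nonce),
    }                                                             # step 232: caller stores it


def verify(document: bytes, record: dict, notary_key: bytes) -> bool:
    """Re-check an evidence item against its notary record.

    Fails if the item's bytes changed since notarization, or if any field of
    the record (fingerprint, time-stamp, nonce, hash) was edited afterwards.
    """
    if not hmac.compare_digest(fingerprint(document), record["fingerprint"]):
        return False
    expected = notary_hash(notary_key, record["fingerprint"],
                           record["timestamp"], record["nonce"])
    return hmac.compare_digest(expected, record["hash"])


if __name__ == "__main__":
    # Constructed sample: a seized e-mail as it would sit in the evidence database.
    key = secrets.token_bytes(32)
    evidence = b"From: a.user@example.test\r\nSubject: Q3 expense report\r\n\r\nAttached.\r\n"
    rec = notarize("EVID-0001", evidence, key)
    print(verify(evidence, rec, key))          # untouched item: True
    print(verify(evidence + b"x", rec, key))   # altered item: False
    rec["timestamp"] = "2000-01-01T00:00:00+00:00"
    print(verify(evidence, rec, key))          # backdated record: False
```

The record stores the nonce in the clear because it is not a secret; its job is to make two notarizations of identical content distinguishable. The notary key is the only secret, which is why the text's option of running the notary function on a separate computer system matters: a key held away from the investigator's workstation cannot be used to re-notarize an altered item.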

Referring back to FIGS. 7 and 8, the evidence administration functions of the system
10 include an electronic mail analysis function (step 238). The electronic mail analysis
allows the system 10 administrator to specify a list of keywords by entering the words or
making menu selections. Once the keywords are entered and/or selected, the system 10
administrator can identify a group of electronic mail documents. Then, the system 10 will search
the group of electronic mail documents for any appearance of the keywords in the electronic
mail documents. Once the system 10 has identified any target e-mails containing any of the
specified keywords, the system 10 will transfer the target e-mails, or a copy of the target
e-mails, to an appropriate electronic evidence database.
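As an added example (my own sketch, not code from the patent), the following Python performs the keyword pass of step 238 over a constructed set of mail messages: any message containing at least one of the administrator's keywords is copied, not moved, into an evidence list, and each copy is stored with the keywords that matched and a SHA-256 digest of the original message so that a later notarization step has a stable value to bind. Matching is case-insensitive and on whole words, so a keyword `expense` does not match `expenses`; the function name `find_target_emails` and the sample mailbox are hypothetical.

```python
import hashlib
import re
from typing import Any, Dict, Iterable, List

# Constructed sample mailbox; none of these messages come from the patent.
SAMPLE_MAILBOX: List[Dict[str, str]] = [
    {"id": "msg-001", "from": "a.user@example.test", "subject": "Lunch",
     "body": "Anyone up for lunch on Friday?"},
    {"id": "msg-002", "from": "b.user@example.test", "subject": "Expense claim",
     "body": "Please approve the attached expense report before the audit."},
    {"id": "msg-003", "from": "c.user@example.test", "subject": "Re: access",
     "body": "I reset the shared PASSWORD on the file server last night."},
    {"id": "msg-004", "from": "d.user@example.test", "subject": "Expenses policy",
     "body": "Reminder: the expenses policy is on the intranet."},
]


def compile_keywords(keywords: Iterable[str]) -> "re.Pattern[str]":
    """Whole-word, case-insensitive pattern; re.escape keeps user input literal."""
    alternation = "|".join(re.escape(k) for k in keywords)
    return re.compile(rf"\b(?:{alternation})\b", re.IGNORECASE)


def raw_bytes(message: Dict[str, str]) -> bytes:
    """Canonical bytes of a message, used for the integrity digest of the copy."""
    return "\n".join(f"{k}: {message[k]}" for k in sorted(message)).encode("utf-8")


def find_target_emails(mailbox: Iterable[Dict[str, str]],
                       keywords: Iterable[str]) -> List[Dict[str, Any]]:
    """Return evidence copies of every message whose subject or body contains
    at least one keyword. The source mailbox is left unchanged."""
    pattern = compile_keywords(keywords)
    evidence: List[Dict[str, Any]] = []
    for message in mailbox:
        text = f"{message.get('subject', '')}\n{message.get('body', '')}"
        hits = sorted({m.lower() for m in pattern.findall(text)})
        if not hits:
            continue
        evidence.append({
            "source_id": message["id"],
            "matched_keywords": hits,
            "sha256": hashlib.sha256(raw_bytes(message)).hexdigest(),
            "copy": dict(message),  # a copy, so the original mailbox is untouched
        })
    return evidence


if __name__ == "__main__":
    for item in find_target_emails(SAMPLE_MAILBOX, ["expense", "password"]):
        print(item["source_id"], item["matched_keywords"], item["sha256"][:16])
```

Copying rather than moving preserves the mailbox as the investigator found it, and hashing the copy at the moment of transfer gives the evidence database a value to compare against if the item is later notarized or produced.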

The investigation administration function logic 200 is programmed to include various
investigation administration functions in step 238. The investigation administration functions
include creating activity documents by selecting a create activity document button 240 in the
investigation administration display screen 206. Activity documents include tasks for the
investigators to perform, calendars, a collection of investigation target dates, time-lines of
suspected activity related to the incident, outstanding and/or completed investigation tasks
and reports of activities yet to be completed.

In addition, documentation related to an investigation may be generated, displayed
and printed. The investigation administration function step 238 also provides for the
generation of investigation reports, including high-level executive reports to chart trends and
correlate various data. For complicated investigations, the investigation may be broken down
into more manageable sub-investigations. Each sub-investigation can be managed using the
same tools and functions as described herein for investigation files.

By selecting a team setup button 242, the system 10 administrator can set up teams
and sub-teams of investigators and/or define the members of the alert groups discussed above.
In addition, each investigation may be associated with various indexed terms using an
indexing tool accessed with an index button 244 to create a searchable database using a
search tool accessed with a search button 246.
Each investigation can be displayed on the investigation administration display screen
206 as a line item 248 under headings 249. The line items 248 can be arranged under various 
categories such as the priority of the investigation, the activity state of the investigation, the 
investigator, or by investigation category by selecting one of various investigation view 
buttons 250. Each line item can contain an investigation name, an investigation identification 
number, icons (not shown) to symbolize various aspects of an investigation, and any other 
relevant information, such as dates and/or times. The investigation administration display 
screen 206 can also display statistical information for each category heading 249 such as the 
number of open investigations under the heading 249 and the number of closed investigations 
under that heading 249. The investigation administration display screen 206 can also be used 
to display investigation activities by selecting activity view buttons 252. Example display 
views include activities by calendar, activities by investigation, activities by investigator, 
activities by activity type and activities by investigation team. Links 126 as described more 
fully above are also provided to navigate between the various display screens described 
herein. 

The investigation administration function logic 200 will store all information related 
to each investigation file each time the investigation database is modified or a new 
investigation file is opened (step 256). 

Referring now to Fig. 10, an information technology policy administration screen 300 
is illustrated. The information technology policy administration screen 300 allows the user to
carry out matters related to the information technology policy administration function briefly 
mentioned above. The screen 300 allows the user to select among and display one or more 
databases of information using view buttons 302. For example, the system 10 administrator 
can select to view investigation support material containing checklists and procedures to be 
followed upon the receipt of a security alert, when administering incidents and when 
administering investigations. The information technology policy administration function can 
also be used to store information security policies, standards and procedures relating to all 
aspects of an organization's body of information technology. These policies can be 
individually entered into the database or loaded as entire files supplied by a vendor. 
A document stored by the information technology policy administration function can
be reviewed in detail by selecting the document displayed as a line item 304 and then 
selecting a review document button 306 to open a document view window (not illustrated) 
containing the text and/or illustrations of the document. Alternatively, the user can double 
click directly on the line item 304. The documents of the information technology policy 
administration function can be indexed based on key words using an indexing tool accessible 
by selecting an index button 308. The index can be subsequently searched using a search tool 
accessible by selecting a search button 310. 

A new policy can be introduced or an existing policy can be changed using a change 
policy/new policy button 312. Selecting this button will open a policy administration 
window (not shown) allowing the system 10 administrator to enter the new policy or edit an 
existing policy and then route the new or changed policy for approval by a policy review 
team. The policies can be routed using e-mail, fax, electronic document transfer or other 
similar method. Approval or denial can be made based on written signature, entering a 
password or providing a digital signature. Members of the policy review team may also 
provide commentary on the new policies to spawn further discussions and/or changes of the 
policies, if desired. The information technology policy administration function can be 
programmed to send automatic reminders to the members of the policy review team if 
approval, denial or comments have not been received within a specified period of time. The 
system 10 administrator can display policies waiting for approval by selecting a policy 
awaiting approval button 314. The system 10 administrator can display commentary on the 
pending policies by policy category, status or author using the discussion buttons 317. 

Once a new policy has been approved or the changes to an existing policy have been
approved, the system 10 administrator can send a newsletter to all persons to be informed of
the new or changed policy. To accomplish this, the system 10 administrator can select a
newsletter button 316 which will provide the system 10 administrator with menus to select
the recipient(s) of the newsletter, including predefined groups, such as all employees, all
managers, all staff, and the like, and menus to specify the policy or policies to be presented in
the newsletter. The newsletter can also be used to send existing policies to selected members
of the organization, such as to a new employee or to all employees on a periodic basis.
The information technology policy administration screen 300 is also provided with an
approval profiles button 318 for displaying an approval group window (not illustrated). The
approval group window will provide the system 10 administrator with menus to select and/or
enter the members of various approval teams mentioned herein, such as the persons to
approve the opening of an investigation or the persons to approve a new information
technology policy, standard or procedure. The system 10 administrator can display and/or
edit request templates, forms (i.e., investigation or new policy approval forms) used to carry
out the administration functions of the system 10 described herein. The forms and templates
can be displayed by type or by the approving party by selecting among request buttons 319.
The foregoing discussion states that various features and functions of the system 10
can be accessed and carried out by a person with the title of system 10 administrator. It
should be understood that accessing each of these features and functions can be limited by
access control techniques, such as passwords and/or digital signatures. One skilled in the art
will also recognize that the same features and functions are not limited for use by a person
given the title of system 10 administrator, but can be accessed by any person using the system
10, either locally or remotely, who has been granted access under the access control
techniques.

=Ct Preferably, the system 10 is provided with multiple levels of access security. More 

1 1 specifically access is controlled on various system 10 levels, such as a database level, a view 
20 level (i.e., display, screen or window) level, a form level, a document level, a document 

portion or section level and a field level. Once logged into the system 10, a user will be able 
to display and work with all material to which he or she has been granted access. Material to 
which the user has not be granted access will be blocked from being displayed, altered, 
viewed, printed and otherwise worked with. In addition, the system 10 is capable of 
25 selectively encrypting database contents at various levels, such as all information stored by 
the database, all information associated with one of the administration functions, a view level, 
a form level, a document level, a document section level and a field level. 
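The following is an added, illustrative implementation of the multi-level access control and selective encryption just described; it is not part of the application and does not reproduce the system 10. The grant table, the role and object names, the document "INV-0001", the field "informant_identity" and the master key are all assumed for the example. Access is decided top-down from the database level to the field level, so a denial at any level blocks everything beneath it, and a field marked for encryption is stored under its own derived key so that a copy of the database without that key yields nothing for the field.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Roles granted at each (level, object) pair.  Levels follow the description:
# database > view > form > document > section > field.  A level with no entry
# for the object inherits the decision of the levels above it; a level that
# names the object must grant one of the principal's roles, or the path is
# denied.  All names below are assumed for the example.
GRANTS = {
    ("database", "irs"): {"admin", "investigator", "auditor"},
    ("view", "investigation"): {"admin", "investigator"},
    ("document", "INV-0001"): {"admin", "investigator", "auditor"},
    ("section", "evidence"): {"admin", "investigator"},
    ("field", "informant_identity"): {"admin"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


def allowed(principal, path):
    """path: sequence of (level, object) ordered from database down to field."""
    for level, obj in path:
        roles = GRANTS.get((level, obj))
        if roles is not None and not (principal.roles & roles):
            return False          # blocked at this level; nothing below is shown
    return True


# Selective encryption.  Stand-in cipher: HMAC-SHA256 in counter mode used as
# a keystream, so the example has no dependencies.  A real deployment would use
# an AEAD such as AES-GCM; the per-object key derivation is the point here.
def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def level_key(master, level, obj):
    """One key per protected object, so a field key cannot decrypt a whole
    document and a document key cannot decrypt a separately protected field."""
    return hmac.new(master, f"{level}:{obj}".encode(), hashlib.sha256).digest()


MASTER = secrets.token_bytes(32)    # constructed; in practice held by a KMS/HSM


def store_document(fields, encrypted_fields):
    """Encrypt the named fields under their own keys; the rest are stored in clear."""
    stored = {}
    for name, value in fields.items():
        if name in encrypted_fields:
            stored[name] = ("enc", encrypt(level_key(MASTER, "field", name), value.encode()))
        else:
            stored[name] = ("clear", value)
    return stored


def render_document(principal, doc_id, stored):
    """Return the fields the principal may see, or None if the document itself
    is blocked.  Blocked fields are omitted rather than masked, so they cannot
    leak through printing or export of the rendered view."""
    base = [("database", "irs"), ("view", "investigation"),
            ("document", doc_id), ("section", "evidence")]
    if not allowed(principal, base):
        return None
    visible = {}
    for name, (kind, value) in stored.items():
        if not allowed(principal, base + [("field", name)]):
            continue
        if kind == "enc":
            value = decrypt(level_key(MASTER, "field", name), value).decode()
        visible[name] = value
    return visible


if __name__ == "__main__":
    record = store_document({"summary": "constructed alert summary",
                             "informant_identity": "constructed name"},
                            {"informant_identity"})
    for who in (Principal("alice", frozenset({"admin"})),
                Principal("bob", frozenset({"investigator"})),
                Principal("carol", frozenset({"auditor"}))):
        print(who.name, render_document(who, "INV-0001", record))
```

With the assumed grants, the administrator sees both fields, the investigator sees the summary only, and the auditor, who is granted the database and document but not the investigation view, gets no rendering at all. Deriving keys per object rather than using one database key is what makes "encrypt at the field level" more than a label: granting a role a field key does not hand it the rest of the document.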

Although the logic routines 50, 100, 150, 200 and 222 (FIGS. 2, 3, 5, 7 and 9) of the 
present invention are embodied in software as discussed above, this logic may alternatively 
be embodied in hardware or a combination of software and hardware. If embodied in 
hardware, the foregoing logic can be implemented as a circuit or state machine that employs 
any one of or a combination of a number of technologies. These technologies may include, 
but are not limited to, discrete logic circuits having logic gates for implementing various logic 
functions upon an application of one or more data signals, application specific integrated 
circuits having appropriate logic gates, programmable gate arrays (PGA), field programmable 
gate arrays (FPGA), or other components, etc. Such technologies are generally well known 
by those skilled in the art and, consequently, are not described in detail herein. 

The diagrams described herein show the architecture, functionality, and operation of 
an implementation of the foregoing logic. If embodied in software, each block may represent 
a module, segment, or portion of code that contains one or more executable instructions to 
implement the specified logical function(s). If embodied in hardware, each block may 
represent a circuit or a number of interconnected circuits to implement the specified logical 
function(s). Although the block diagrams and flow charts show a specific order of execution, 
it is understood that the order of execution may differ from that which is depicted. For 
example, the order of execution of two or more blocks may be altered relative to the order 
shown. Also, two or more blocks shown in succession may be executed concurrently or 
with partial concurrence. In addition, various blocks may be omitted. It is understood that all 
such variations are within the scope of the present invention. 

Also, the logic can be embodied in any computer-readable medium for use by or in 
connection with an instruction execution system such as a computer/processor based system 
or other system that can fetch or obtain the logic from the computer-readable medium and 
execute the instructions contained therein. In the context of this document, a 
"computer-readable medium" can be any medium that can contain, store, or maintain logic 
and/or data for use by or in connection with the instruction execution system. The computer 
readable medium can be any one of many physical media such as, for example, electronic, 
magnetic, optical, electromagnetic, infrared, or semiconductor media. More specific 
examples of a suitable computer-readable medium would include, but are not limited to, a 
portable magnetic computer diskette such as floppy disk, a hard disk, a random access 
memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory, 
or a compact disc. 
Although particular embodiments of the invention have been described in detail, it is 
understood that the invention is not limited correspondingly in scope, but includes all 
changes, modifications and equivalents coming within the spirit and terms of the claims 
appended hereto. 
CLAIMS 



What is claimed is: 

1. A method of responding to an information technology related incident, comprising the steps of:

receiving a computer generated security alert indicative of prohibited activity transpiring between a first and a second networked computing device;

displaying the security alert on an incident response and investigation system for analysis by an administrator;

creating an electronic documentation of a potential computer network misconduct incident based on information contained in the security alert;

opening an electronic investigation file to facilitate administration of an investigation of the potential computer network misconduct incident;

collecting items of electronic evidence relating to the investigation of the potential computer network misconduct incident; and

maintaining the electronic evidence in an electronic evidence database associated with the electronic investigation file.

2. The method according to claim 1, further comprising the step of routing an investigation approval form to at least one selected individual for the at least one individual to authorize or deny the investigation of the incident.



3. The method according to any of claims 1 to 2, wherein the security alert is generated in response to an action of an author, the author being anonymous.

4. The method according to any of claims 1 to 3, further comprising the steps of establishing a set of criteria for security alert handling and acting upon the security alert based on the set of criteria.
5. The method according to claim 4, wherein the step of acting upon the security 
alert is carried out by a computer system. 

6. The method according to any of claims 1 to 5, further comprising the step of 
digitally notarizing at least one item of electronic evidence contained in the electronic 
evidence database. 

7. The method according to any of claims 1 to 6, further comprising the steps of 
searching a selected electronic mail file for at least one specified word and storing the 
electronic mail file in the electronic evidence database if the at least one specified word is 
present in the electronic mail file. 

8. The method according to any of claims 1 to 7, further comprising the step of 
alerting at least one person that an investigation file has been opened. 

9. The method according to any of claims 1 to 8, further comprising the steps of 
storing a collection of security policies and support guidelines in a database and referring to 
the policies and guidelines when documenting the incident and administering to the 
investigation of the incident. 

10. An information technology incident response and investigation system 
comprising: 

an incoming security alert administration means for receiving a computer generated 
security alert indicative of prohibited activity transpiring between a first and a second 
networked computing device; 

a display for displaying the security alert for analysis by an administrator; 

an incident administration means for creating an electronic incident file to document a 
potential computer network misconduct incident based on information contained in the 
security alert; and 
an investigation administration means for opening an electronic investigation file to 
facilitate administration of an investigation of the potential computer network misconduct 
incident documented in the incident file. 

11. The system according to claim 10, wherein the security alert is generated in response to an action of an author, the author being anonymous. 

12. The system according to any of claims 10 to 11, wherein the security alert is generated by an information technology security device or software tool. 



13. The system according to any of claims 10 to 12, further comprising an information technology policy administration means for storing a collection of security policies and support guidelines in a database, the policies and guidelines accessible from the incident administration means and the investigation administration means.

14. The system according to any of claims 10 to 13, wherein the investigation administration means includes an electronic authorization means to approve an opening of an investigation file.

15. The system according to any of claims 10 to 14, wherein the investigation administration means includes an electronic evidence database means associated with the electronic investigation file for maintaining items of electronic evidence relating to the investigation of the potential computer network misconduct incident.

16. The system according to claim 15, wherein the electronic evidence database means has a digital notarization function for digitally notarizing at least one item of electronic evidence contained in the electronic evidence database.
17. The system according to any of claims 10 to 16, wherein the investigation 
administration means includes an electronic mail search tool for searching a selected 
electronic mail file for at least one specified word and storing the electronic mail file in an 
electronic evidence database if the at least one specified word is present in the electronic mail 
file. 

18. The system according to any of claims 10 to 17, further comprising an 
investigation alerting tool for alerting at least one person that an investigation file has been 
opened. 
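As an added illustration, not part of the application's description or claims, the following example shows one way the electronic evidence database of claims 1 and 15, the digital notarization of claims 6 and 16, and the electronic mail search of claims 7 and 17 could be realized together. Each stored item is recorded with its SHA-256 hash, its source, a collection time and a seal over that record chained to the previous item's seal; the seal is an HMAC under an assumed notary key, standing in for a signature from a hardware-held key or an RFC 3161 time-stamp token. The mail messages, the investigation identifier "INV-0001" and the timestamps are constructed for the example, and the search assumes single-part RFC 822 messages.

```python
import hashlib
import hmac
import json
from email import message_from_string

NOTARY_KEY = b"constructed-notary-key-not-for-real-use"   # hypothetical
GENESIS = b"\x00" * 32                                     # chain start value


class EvidenceDB:
    """Evidence items for one investigation file, each sealed in sequence."""

    def __init__(self, investigation_id, notary_key=NOTARY_KEY):
        self.investigation_id = investigation_id
        self.key = notary_key
        self.items = []            # [{"record": {...}, "content": bytes}]
        self.last_seal = GENESIS

    @staticmethod
    def _canonical(record):
        # Deterministic serialisation so the seal is reproducible at verify time.
        return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

    def notarize(self, content, source, collected_at):
        """Store content and return its notarization record.  The seal covers the
        content hash, the metadata, the collection time and the previous seal,
        so reordering, removing or editing an item breaks every later seal."""
        record = {
            "seq": len(self.items),
            "investigation": self.investigation_id,
            "source": source,
            "collected_at": collected_at,
            "sha256": hashlib.sha256(content).hexdigest(),
            "prev_seal": self.last_seal.hex(),
        }
        seal = hmac.new(self.key, self._canonical(record), hashlib.sha256).digest()
        record["seal"] = seal.hex()
        self.items.append({"record": record, "content": content})
        self.last_seal = seal
        return record

    def verify(self):
        """Return (True, None) if every item and seal checks out, else
        (False, seq) naming the first item that fails."""
        prev = GENESIS
        for seq, item in enumerate(self.items):
            rec = dict(item["record"])
            seal = bytes.fromhex(rec.pop("seal", ""))
            if rec.get("seq") != seq or rec.get("prev_seal") != prev.hex():
                return False, seq
            if hashlib.sha256(item["content"]).hexdigest() != rec.get("sha256"):
                return False, seq
            expected = hmac.new(self.key, self._canonical(rec), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, seal):
                return False, seq
            prev = seal
        return True, None


def file_matching_mail(db, mail_files, words, collected_at):
    """Search single-part RFC 822 messages for any of the specified words
    (case-insensitive, in subject or body) and file each match whole as
    evidence.  Returns the sources that were filed, in search order."""
    lowered = [w.lower() for w in words]
    filed = []
    for source, raw in mail_files.items():
        msg = message_from_string(raw)
        text = f"{msg.get('Subject', '')}\n{msg.get_payload()}".lower()
        if any(w in text for w in lowered):
            db.notarize(raw.encode(), source, collected_at)
            filed.append(source)
    return filed


# Constructed messages, not real traffic.
SAMPLE_MAIL = {
    "mbox/0001.eml": "From: a@example.test\nTo: b@example.test\nSubject: lunch\n\n"
                     "See you at noon.\n",
    "mbox/0002.eml": "From: a@example.test\nTo: c@example.test\nSubject: files\n\n"
                     "I copied the customer database to a USB stick last night.\n",
}

if __name__ == "__main__":
    db = EvidenceDB("INV-0001")
    print("filed:", file_matching_mail(db, SAMPLE_MAIL, ["USB", "database"], "2003-01-01T00:00:00Z"))
    print("verify:", db.verify())
    db.items[0]["content"] = b"altered"
    print("after tampering:", db.verify())
```

The whole message file is stored rather than the matching excerpt, so the item remains interpretable later and its hash can be compared against the mail server's copy. Because each seal includes the previous seal, an item cannot be silently deleted or inserted in the middle of the sequence without invalidating everything after it; the verifier reports the first sequence number at which the chain breaks.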
curity alert being displayed on an incident response and investigation system (58) for analysis by an administrator, documenting the incident (56) based on information contained in the security alert; opening an investigation file (64) to administer investigation of the incident; collecting items of electronic evidence and maintaining the evidence in an electronic evidence database associated with the investigation file (66). An incident response and investigation system is also disclosed, the system having an incoming security alert administration function for receiving and analyzing security alerts, each security alert

information technology policy of an organization; an incident administration function for creating an incident file to document the event; and an investigation administration function for administering an investigation of the event